
Event Summary: fwd:cloudsec North America 2024

We believe that fwd:cloudsec is the best venue for cloud security professionals. It provides an arena for cloud security researchers and practitioners to come together and discuss everything moving in the cloud security space. The conference is also live-streamed, and content is posted on YouTube shortly after, ensuring that the valuable insights and knowledge shared are accessible to anyone. I am now even more excited about fwd:cloudsec Europe, which will happen in September, and I am proud to say that O3C is a sponsor!

4 min read, Jun 20, 2024
Karim El-Melhaoui, Principal Security Architect & Partner

Before the conference

I was lucky enough to have some extra time in Washington and decided to spend it with fellow cloudsec enthusiasts. We decided to visit the National Air and Space Museum, which is worth a visit if you are in the DC area.

As part of the organizer team for fwd:cloudsec Europe, I also had the opportunity to attend the dinner for speakers the day before the event.

Conference

What I love about fwd:cloudsec is that the content is practitioner-focused; people share actual stories from implementations, with all the nuances involved, rather than “paper best practices.”

I’ve selected a few talks I want to highlight and would recommend to anyone working in cloud security. As I write this, I am still catching up on the sessions I missed due to parallel tracks, so I will only mention a few of the sessions I got to attend. Not a single session disappointed me this year!

I'm Doing My Part! By Mapping Cloud Incidents to ATT&CK Techniques - Casey Knerr

I’ve found applying the MITRE ATT&CK Framework to the cloud difficult. In the session, Casey from MITRE demonstrated a practical example of how cloud threats can be mapped to the framework. The session showcased specific threat intelligence reports where the framework has been applied, examples of where it may be difficult, and tools that can help you, such as the CISA Best Practices for ATT&CK Mapping.

The session can be found here: https://www.youtube.com/watch?v=eV7QOjUkwW8&ab_channel=fwd%3Acloudsec

One Click, Six Services: Abusing The Dangerous Multi-service Orchestration Pattern - Liv Matan

The session demonstrates some underlying weaknesses in Google Cloud: Liv shows how provisioning Cloud Functions creates additional services in your organization behind the scenes, and those services are configured insecurely.

What I love about this session is that it demonstrates several important aspects that apply to understanding cloud security in detail:

  • How a service offered by a cloud service provider depends on other services that are customer-owned.
  • The methods he applied to discover the creation and configuration of these services; the same approach can be reused for security research.
  • How to understand the risks related to a service.

Liv’s findings make the session entertaining, but the way he conveys the research can also be applied to your own methodology for assessing cloud services.

The session can be found here: https://www.youtube.com/watch?v=I3YQJXVbpII&ab_channel=fwd%3Acloudsec

Forged in Fire: Forging Multi-Cloud Open Source Swiss-Army Knife - Toni de la Fuente & Sergio Garcia

I’m a big fan of using Prowler to get an overview of cloud environments. Prowler was the first tool I was introduced to for benchmarking the security of an AWS environment. Fast forward many years, and Toni and his team have developed Prowler into a multi-cloud security solution; there are many reasons you should follow the project on GitHub.

In the session, Toni and Sergio discuss how they’ve continued developing Prowler, covering the difficulties of interacting with the numerous cloud platforms, their limitations, and how to create a unified vocabulary for their finding format for multi-cloud assessments.

If you're working with multi-cloud and automation or are just curious about what it would entail, this session is worth watching.

The session can be found here: https://www.youtube.com/watch?v=4v6Y6NZne8c&ab_channel=fwd%3Acloudsec

The EKS Hacking Playbook: Lessons From 3 Years of Cloud Security Research

The Wiz research team has demonstrated an ability to break almost any cloud solution. Watching Nir and Hillai present their EKS hacking playbook gave insights into how to identify possible risks on container-based workloads hosted by cloud providers by extracting the credentials from the Instance Metadata Service. They demonstrate how this technique was used to upload a malicious AI model to Hugging Face, and with the instance credentials, they could access other customers’ data.

One thing that came up in the session is that enforcing the Instance Metadata Service V2 and setting HttpPutResponseHopLimit to 1 would prevent this altogether. Let’s continue to hope that cloud providers will enforce secure defaults, especially for managed services like EKS.

The session can be found here: https://www.youtube.com/watch?v=HcNmkCRXFdE&ab_channel=fwd%3Acloudsec
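As an added illustration of the mitigation mentioned above (my example, not code from the talk, from Wiz, or from this post), here is a small audit over the MetadataOptions in `aws ec2 describe-instances` output that flags nodes still answering IMDSv1 or with a hop limit above 1, and builds the `modify_instance_metadata_options` parameters to fix them; the instance IDs and sample data are constructed.

```python
# Added example, not code from the talk, Wiz, or the post: audit EC2
# MetadataOptions (shape of `aws ec2 describe-instances` output) for the two
# settings the session called out, IMDSv2 enforcement and hop limit 1, and
# build the boto3 remediation call for anything that fails.
from typing import Any

REQUIRED_HOP_LIMIT = 1


def audit_metadata_options(instance: dict[str, Any]) -> list[str]:
    """Return findings for one instance; an empty list means compliant."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return []  # IMDS switched off entirely: nothing to extract
    findings = []
    # "required" forces the IMDSv2 PUT-for-token flow; "optional" (or a
    # missing value) still answers unauthenticated IMDSv1 GET requests.
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 still allowed (HttpTokens != required)")
    # Hop limit 1 gives the token response an IP TTL of 1, so it cannot be
    # forwarded across a bridge or NAT into a container; larger values can.
    hops = opts.get("HttpPutResponseHopLimit")
    if hops != REQUIRED_HOP_LIMIT:
        findings.append(f"HttpPutResponseHopLimit={hops} (want {REQUIRED_HOP_LIMIT})")
    return findings


def audit_reservations(reservations: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map InstanceId -> findings for every non-compliant instance."""
    report: dict[str, list[str]] = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if findings := audit_metadata_options(inst):
                report[inst["InstanceId"]] = findings
    return report


def remediation_params(instance_id: str) -> dict[str, Any]:
    """Kwargs for ec2_client.modify_instance_metadata_options(**params)."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpPutResponseHopLimit": REQUIRED_HOP_LIMIT}


# Constructed sample: one hardened node, one node with IMDSv1 and hop limit 2.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0example-ok", "MetadataOptions": {"HttpEndpoint": "enabled",
     "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example-bad", "MetadataOptions": {"HttpEndpoint": "enabled",
     "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
]}]
```

Feed it the `Reservations` list from `boto3.client("ec2").describe_instances()` and pass each `remediation_params(...)` result to `modify_instance_metadata_options` to enforce the settings on the nodes it reports.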

Hallwaycon

There’s a lot of talk about “Hallwaycon,” the casual conversations between sessions or after the conference. For me, those conversations are valuable enough to justify the travel. Catching up with fellow cloud security researchers and practitioners inspires me to improve practices, discover insecurities, and challenge cloud providers to do better. This year, I met many new people and caught up with existing friends.